Bug 1399845 - RHQ 4.14.0 fails getting LDAP groups in authentication
Summary: RHQ 4.14.0 fails getting LDAP groups in authentication
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: RHQ Project
Classification: Other
Component: Configuration, Core Server
Version: unspecified
Hardware: All
OS: Linux
unspecified
low vote
Target Milestone: ---
: ---
Assignee: RHQ Project Maintainer
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-29 21:43 UTC by Henry Molina
Modified: 2016-11-30 12:54 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-30 12:54:47 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Henry Molina 2016-11-29 21:43:49 UTC 
Hi All,

I have RHQ 4.14.0 + LDAP and the role mapping is failing.

The RHQ log for login action:

17:12:05,065 INFO  [org.rhq.enterprise.server.auth.SubjectManagerBean] (http-/0.0.0.0:7080-13) Letting in user [hmolina]  without any assigned roles.
17:12:05,297 INFO  [org.rhq.enterprise.server.auth.SubjectManagerBean] (http-/0.0.0.0:7080-13) Letting in user [hmolina]  without any assigned roles.
17:12:06,851 INFO  [org.rhq.enterprise.server.auth.SubjectManagerBean] (http-/0.0.0.0:7080-3) Letting in user [hmolina]  without any assigned roles.

The LDAP log for RHQ group search:

[29/Nov/2016:17:12:06 -0300] conn=1272 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(member=hmolina))" attrs="cn description"

The TestLdapSetting.jar tool shows the follow LDAP search with same setings:

STEP-4:TESTING: Using Group Search Filter '(&(objectclass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))', 4 ldap group(s) were located.

The LDAP log for TestLdapSetting.jar group search:

[29/Nov/2016:17:48:39 -0300] conn=1395 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))" attrs="cn description"

In short, RHQ has truncated the filter.

Right filter (TestLdapSetting.jar):
'(&(objectclass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))'

Wrong filter (RHQ):
"(&(objectClass=groupOfNames)(member=hmolina))"

Regrads,

Henry.
Comment 1 Henry Molina 2016-11-30 12:54:47 UTC 
Solved.

LDAP groups works fine for non posix groups.
Note You need to log in before you can comment on or make changes to this bug.